What Is VoIP Phishing and How Does It Work?

[Image: convict with golden key opening a padlock on a cell phone (Getty Images / Ja_inter)]

Phishing is an attack on data privacy in which the victim, having taken the bait, hands over his own personal data. Not very different from 'fishing'! Phishing over VoIP has become so rampant that it has earned its own term: vishing.

In this article we look at:

  • How phishing works
  • Examples of phishing attacks
  • VoIP and phishing
  • How VoIP makes phishing easier
  • How to prevent and avoid phishing

How Phishing Works

Phishing is a type of attack that has gained popularity because it is an easy way for data thieves to obtain what they want. Out of the millions of smartphone and internet users out there, there is still a large number of naive users who get bamboozled.

Phishing works like this: a data thief sends you an email or a voicemail crafted to look like an official message from a company you have a financial or other relationship with, such as your bank, PayPal or eBay. The message informs you of a problem, which alarms you, and asks you to visit a site or phone a number where you must give your personal data, such as a credit card number or passwords.

Some users are so easily lured that attackers trick them into giving out their credit card number, expiration date and security code, which the attackers then use to make transactions with the card or to produce cloned cards. That can be financially devastating.

Examples of Phishing Attacks

Here are examples of ways in which you can be attacked if you are a phishing target:

  1. You get an email from PayPal, eBay or a similar company, informing you of some irregularity on your part and stating that your account is frozen. You are told that the only way to free your account is to go to a given link and give your password and other personal information.
  2. You get a voicemail from your internet banking department saying that someone has tried to tamper with your password and that something has to be done quickly to save your account. You are requested to phone a given number and give your credentials so that you can change your existing account credentials.
  3. You get a phone call from your bank saying that they have noticed suspicious or fraudulent activity on your bank account, and asking you to phone back (most of the time the voice is pre-recorded) and/or give your bank account number, credit card number, etc.

As a concrete example, some time ago a customer was informed that his Bank of America account had been suspended because it was supposedly used to purchase adult-themed goods or services. The message went like this:

"We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of Bank of America's Acceptable Use Policy. Therefore, your account has been temporarily limited for: hotjasmin.com cam shows. In order to remove the limit please call our TOLL FREE number [omitted]." The victim was asked to enter certain information, including his bank PIN, in these words, "Bank of America asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities."

VoIP and Phishing

Before VoIP became popular, phishing attacks were carried out through spam email messages and PSTN landline phones. Since the advent of VoIP in many homes and businesses, phishers (or phishermen?) have turned to making phone calls, which reach more people than email does.

The question arises as to why phishers did not use PSTN phones before VoIP. The PSTN is perhaps the most secure modern means of telecommunication, with perhaps the most secure network and infrastructure; VoIP is more vulnerable than PSTN.

How VoIP Makes Phishing Easier

Phishing is made easier for attackers using VoIP for the following reasons:

  • VoIP is cheaper than PSTN and is now quite widely available.
  • With VoIP, attackers can tamper with the caller ID that appears to users, making it appear as if their bank or another trusted organization is contacting them.
  • VoIP software for PBXs, like the very popular open-source Asterisk, gives so much power to the programmer that people with minimal skills can now achieve what only nerds could before. Any programmer with basic knowledge of VoIP can manipulate its deployment and make a bank of fake numbers that they can use to dupe their victims without compromising their own identities.
  • VoIP hardware, like IP phones, ATAs, routers and IP-PBXs, has become affordable, and the software that accompanies it is more user-friendly, thus facilitating the task for manipulators. These devices are also very portable and can be taken anywhere.
  • VoIP hardware and its easy integration with PCs and other computer systems (voicemail, for instance) make it easy for vishers to record the phone calls of numerous victims who have been hooked, without having to be present themselves.
  • Unlike PSTN numbers, VoIP numbers can be set up and destroyed in a matter of minutes, which makes it nearly impossible for authorities to track vishers down.
  • With VoIP, vishers can send one message to thousands of recipients at one go, instead of having to type one single number for each vishing call.
  • Using VoIP, an attacker can create a virtual number for any country. He can then use a local number and forward the calls overseas, thereby emulating popular financial institutions in Europe or the US.
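As an added illustration, not taken from the original article: a small Python check of the kind an inbound VoIP gateway or session border controller could apply to flag the caller-ID tampering described above. The sample SIP INVITE, the brand-to-domain allow-list and every address in it are constructed assumptions, not real traffic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample SIP INVITE (not a real capture): the display name claims a bank,
# but the call arrives from an unrelated host and the asserted identity is another number.
SAMPLE_INVITE = """INVITE sip:+15551234567@corp.example SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776
From: "Bank of America Fraud Dept" <sip:+18005550199@203.0.113.10>;tag=1928301774
To: <sip:+15551234567@corp.example>
P-Asserted-Identity: <sip:+4420700000@203.0.113.10>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
"""

# Assumed allow-list: domains from which a call claiming this brand may legitimately arrive.
TRUSTED_BRANDS = {"bank of america": {"bankofamerica.com"}, "paypal": {"paypal.com"}}

HEADER_RE = re.compile(r"^([\w-]+):\s*(.*)$")
# Optional quoted display name, then <sip:user@domain> (parameters after ';' ignored).
ADDR_RE = re.compile(r'(?:"([^"]*)")?\s*<sip:([^@>]+)@([^;>]+)>')


def parse_headers(msg: str) -> Dict[str, str]:
    """Return SIP headers keyed by lower-cased name, skipping the request line."""
    headers: Dict[str, str] = {}
    for line in msg.splitlines()[1:]:
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers


def parse_address(value: str) -> Tuple[str, str, str]:
    """Split a From/PAI header value into (display name, user part, domain)."""
    m = ADDR_RE.search(value)
    if not m:
        return "", "", ""
    return (m.group(1) or ""), m.group(2), m.group(3)


def vishing_indicators(msg: str) -> List[str]:
    """Flag caller-ID claims that are not backed by the signalling itself."""
    h = parse_headers(msg)
    findings: List[str] = []
    display, from_user, from_domain = parse_address(h.get("from", ""))
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display.lower() and from_domain.lower() not in domains:
            findings.append(f"display name claims '{brand}' but From domain is {from_domain}")
    if "p-asserted-identity" in h:
        _, pai_user, _ = parse_address(h["p-asserted-identity"])
        if pai_user and pai_user != from_user:
            findings.append(f"caller ID {from_user} differs from asserted identity {pai_user}")
    return findings
```

Run against the sample, the check reports both a brand/domain mismatch and a caller-ID/asserted-identity mismatch; a plain INVITE with no brand claim and no P-Asserted-Identity header yields nothing.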